03-30-2011 05:41 AM
Hi everyone,
We are currently migrating our network from IP to MPLS and we encounter an issue with only one application, which uses a security certificate over HTTPS. All other services are OK, such as HTTP, FTP, mail, etc.
Network description:
The network architecture is composed of 4 core routers (which play the role of P and PE at the same time) and 2 border routers (B1 and B2) linked to the Internet via STM1 POS interfaces.
Each border router is connected to two core routers (C1 and C2) by GigabitEthernet links.
Please also note that there is a DPI (Deep Packet Inspector, model Arbor 100) between each border and core router.
Core routers C1, C2, C3 and C4 are connected to each other by GigabitEthernet links.
B1 and B2 are linked to the Internet by STM1 (POS) using eBGP.
OSPF is used as the infrastructure routing protocol between all equipment.
(cf. the network diagram attached)
Configuration:
When migrating to MPLS, we set the interface MTU to 9216 and the MPLS MTU to 1512 on all concerned interfaces from core to border routers.
Below is a sample configuration.
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback0
!
interface GigabitEthernet1/1
 mtu 9216
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 XXXXXXXXXXX
 ip ospf network point-to-point
 ip ospf cost 1
 ip ospf hello-interval 1
 mpls mtu 1512
 mpls ip
Problem:
The service application uses a server on the local network (linked via a CE router) which sends HTTPS requests and files to a server located on the Internet.
When MPLS is activated only on the core-to-core interfaces (C1, C2, C3 and C4), the application works properly.
But when MPLS is extended to the core-to-border / border-to-core interfaces, this specific application fails, as it appears that the certificate server sees a corrupted frame: some bits have been added to the normal frame. But all other services (HTTP, FTP, everything,)
Below are the major differences between the border and core router connection schemes:
Regards.
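An added example, not code from the original post: a small Python audit of interface stanzas like the one above, checking that each MPLS-enabled interface leaves enough room above a full-size 1500-byte IP packet for the label stack and that the MPLS MTU does not exceed the interface MTU. The sample config, the 1500-byte IOS default interface MTU and the two-label requirement are assumptions.

```python
import re

# Constructed sample modelled on the stanza posted in the thread; the second
# interface deliberately omits "mtu 9216" so the audit has something to flag.
SAMPLE_CONFIG = """\
mpls ip
mpls label protocol ldp
mpls ldp router-id loopback0
interface GigabitEthernet1/1
 mtu 9216
 ip ospf network point-to-point
 mpls mtu 1512
 mpls ip
interface GigabitEthernet1/2
 mpls mtu 1512
 mpls ip
"""

IP_MTU = 1500            # full-size IP packet arriving from the LAN (assumption)
LABEL_BYTES = 4          # one MPLS shim header
DEFAULT_IF_MTU = 1500    # assumed IOS default when no "mtu" line is present


def parse_interfaces(config):
    """Return {name: {"mtu": int|None, "mpls_mtu": int|None, "mpls": bool}}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"mtu": None, "mpls_mtu": None, "mpls": False}
        elif current is None:
            continue                              # global config, not an interface
        elif re.match(r"mtu (\d+)$", line):
            ifaces[current]["mtu"] = int(line.split()[1])
        elif re.match(r"mpls mtu (\d+)$", line):
            ifaces[current]["mpls_mtu"] = int(line.split()[2])
        elif line == "mpls ip":
            ifaces[current]["mpls"] = True
    return ifaces


def audit(config, labels_needed=2):
    """Map each MPLS-enabled interface to (labels that fit, list of problems)."""
    findings = {}
    for name, i in parse_interfaces(config).items():
        if not i["mpls"]:
            continue
        mtu = i["mtu"] if i["mtu"] is not None else DEFAULT_IF_MTU
        mpls_mtu = i["mpls_mtu"] if i["mpls_mtu"] is not None else mtu
        labels_fit = (mpls_mtu - IP_MTU) // LABEL_BYTES
        problems = []
        if mpls_mtu > mtu:
            problems.append("mpls mtu exceeds interface mtu")
        if labels_fit < labels_needed:
            problems.append(f"only {labels_fit} label(s) fit above {IP_MTU}-byte IP")
        findings[name] = (labels_fit, problems)
    return findings
```

With the posted values (interface MTU 9216, MPLS MTU 1512) a 1500-byte packet can carry three labels without fragmentation, so the MTU settings themselves are not the obvious culprit.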
04-04-2011 11:24 PM
Hi,
Would it be possible to disable the DPI functionality (passthrough mode?) and test again?
MPLS labels or not on the packet should not make a difference w.r.t. HTTPS only (in theory).
Since you mention corrupted frames, taking a packet capture should show you if this is true or not.
Thanks,
Luc